Tagged Questions

Cipher block chaining (CBC) is a method for encrypting large amounts of data with a block cipher that can only encrypt fixed length plaintexts. When used with an unpredictable initialization vector (IV), it is secure against chosen plaintext attacks (CPA-secure).

Padding oracle attacks are a huge nuisance when using CBC mode encryption without authentication. Wouldn't all those padding oracle attacks be avoided if we'd just use bit padding instead? Or is does ...

SSL 3.0 and TLS 1.0 used an insecure scheme to generate implicit IVs when encrypting records in CBC mode: they used the last part of the previous record, a value that can be predicted by the attacker. ...

I use AES both CBC and CBC-MAC to encrypt some stuff. I generate one key for CBC and one different key for CBC-MAC.
Does the second key (for CBC-MAC) need to be secret?
How to join such key with the ...

As I understand it, CTS pads the last block and swaps it with the second last to compensate for a partial block of data. I have written a DRBG (Deterministic Random Bit Generator) using AES-CBC that ...

I have a hypothetical encryption scheme where somebody uses the one-time pad in CBC mode. That is, the block cipher is $E(k, m) := k \oplus m$, and that block cipher is used in CBC mode.
Now, I am assuming ...

I'm trying to analyze the strength of a block cipher with CBC mode or with ECB mode on the scenario of an exhaustive search attack with knowledge of pairs of plaintext – ciphertext (known plaintext ...

Going through the wiki for modes of operation I see that the section on error propagation says that an error in one block in the ciphertext in CBC mode only impacts two blocks. I do not quite get that. ...

I have read an article about an attack on LUKS in CBC mode and had a look at the WP article about CBC and now I am confused. If I have understood that correctly then changing the plaintext of a block ...

What is the best way to use standard AES with a 128-bit block size to act as a 256-bit block cipher? I am aware of CMC and EME which seem to serve this purpose, but they seem to be more complicated ...

The question came up here, which left me thinking:
Is it possible to deduce the IV from CBC ciphered data, without knowing the key?
And if not, why is it considered a bad idea to create an IV by, for ...

I want to decrypt a file that has been encrypted using AES-128 in CBC mode using OpenSSL. I got the “.key” file – which is 32 digits – but when I try to decrypt with OpenSSL, the program asks me for ...

I have an embedded device with an AES CBC engine on it that is used to ensure the integrity of the firmware. I know that CBC mode requires unique IVs to be any good, but I'm unsure if it makes a large ...

We're building a stateless RESTful API that relies on the content of OAuth2 tokens to identify users and what they have access to. Users authenticate with other means and are given a token, which they ...

Why is it necessary to use a sufficiently long block size when implementing a CBC block cipher with a truly random initialization vector? In ECB mode it's easy to get information about the message if ...

Perhaps I don't understand the answers to Malleability attacks against encryption without authentication, so trying to be more concrete... please be patient.
If I want to change the first block and I ...

I'm trying to brute force a 3DES problem given a reduced keyspace (i.e. I know the first half of the key) but with an unknown IV. The code decrypts to plaintext. My first thought was that I could set ...

Theoretically, when using a symmetric block cipher in CBC mode, the current block is dependent on the previous block. Suppose one plaintext is encrypted using CBC, and then one bit of it is changed, ...

Is there a defined key size to be used with the "AES_256-CBC" method in PHP, and what is the size?
Some background:
I want to store encrypted text into a PostgreSQL database. The user who posts the ...

How does a cracker know if they've broken CBC or stream encryption? With hash cracking one would know because you have the password that you started with to test. But for CBC decryption, you have a ...

I'm currently working with a secure transport protocol that defines the IV to be a counter (incremental nonce) to be encrypted with the same key. This is a followup to a protocol that did not provide ...

Given a message $M$ and a cryptographic hash function $H$, let $f(M) = E_K(M || H(M))$ where $E_K$ is AES-128-CBC encryption with PKCS#5 padding. Take $H = \textrm{SHA-256}$ if it matters. In other ...

I have a fairly simple Python program using PyCrypto to use AES+CBC to encrypt a stream of input. In order to adhere to the 16-byte input size multiple, I've implemented PKCS#7 by hand. (While I know ...

I am encrypting files for storage in an untrusted location, using a custom Java program to do that. There is only one user, but there are many files.
I am using AES in CBC mode with PKCS5 padding, and ...